Friday, March 27, 2009

Ultra Antivir 2009

Ultra Antivir 2009 (UltraAntivir2009) is a new rogue. It belongs to the same family as Virusdoctor, VirusMelt and VirusAlarm: the GUI is always the same, only the title changes.



Fake online scanners are now redirecting to a new (and less expensive) way of hosting the malware: Google Code.

trdatasft.com (64.86.17.9)
vmfastscanner.com (64.86.17.9)
tdncgo2009.com (64.86.133.91)
websecscan.com (64.86.133.91)
mysupervisorpop.co.cc (64.86.16.210)
onlinesecurescan.com (64.86.16.210)
vm-onlinescan.net (206.53.61.69)
virusalarm-scanvirus.net (206.53.61.76)
onlinescan-ultraantivirus2009.com (206.53.61.76)
Ultra Antivir 2009 removal instructions

Thanks to Bharath.

Saturday, March 21, 2009

Antivirus Agent Pro

The rogue Antivirus Agent Pro detects infections on a clean system: it creates random junk files (not executable) itself and then flags them as infected.



Thanks to Miekiemoes.

Friday, March 20, 2009

Total Security

Total Security is a fake security application. It belongs to the Antivirus 360 rogue family (same GUI).

It downloads files from:
platinumsecurityupdate.com (212.117.165.126)
antispywareupdateservice.com (89.149.217.205)

212.117.165.126 is an IP shared with the Antivirus 2009 website and installer:
webscannertools.com (212.117.165.126)
central-scan.com (212.117.165.126)

BleepingComputer Removal Guide.
Bharath's Security Blog

Wednesday, March 18, 2009

Renus2008

Renus 2008 is a Fake Security application.



Renus 2008 always detects the same infected files, because the item strings are hardcoded in the application:



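An added example of how to confirm that claim on any rogue (this is not code from the blog or from the Renus 2008 authors): extract the printable strings from the executable and check whether every item in the scan report appears verbatim. It goes slightly beyond the post by also extracting UTF-16LE strings, since Windows GUI applications usually store their text wide. The byte buffer and the "reported" file names below are constructed stand-ins, not the real Renus 2008 strings.

```python
import re

# Constructed stand-in for a rogue's executable image: an MZ header stub, a few
# narrow (ASCII) strings and a few wide (UTF-16LE) strings, null-padded the way
# a Windows binary's data section would be. These are not Renus 2008's real strings.
FAKE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"C:\\WINDOWS\\system32\\constructed1.dll" + b"\x00" * 4
    + b"Trojan.Constructed.A" + b"\x00" * 4
    + "C:\\Documents and Settings\\All Users\\constructed2.exe".encode("utf-16-le")
    + b"\x00" * 4
    + b"\x41\x42" + b"\xff" * 8
    + "HKEY_LOCAL_MACHINE\\Software\\Constructed".encode("utf-16-le")
    + b"\x00" * 4
)

# Constructed scan report: what the rogue's GUI claimed to have found.
REPORTED = [
    "C:\\WINDOWS\\system32\\constructed1.dll",
    "C:\\Documents and Settings\\All Users\\constructed2.exe",
    "C:\\temp\\notinbinary.exe",
]

# Strings shaped like the items a fake scanner lists: drive paths,
# environment-variable paths and registry keys.
ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z_]+%\\|HKEY_)")


def extract_strings(blob, min_len=6):
    """Printable ASCII and UTF-16LE strings of at least min_len characters,
    returned in file order (roughly `strings -a` plus `strings -a -e l`)."""
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in narrow.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in wide.finditer(blob)]
    found.sort()
    return [s for _, s in found]


def candidate_items(blob):
    """Embedded strings shaped like files or registry keys a scanner might 'detect'."""
    return [s for s in extract_strings(blob) if ITEM_RE.match(s)]


def hardcoded_detections(blob, reported):
    """For each reported detection, whether it appears verbatim inside the binary."""
    embedded = set(extract_strings(blob))
    return {name: name in embedded for name in reported}


def report_is_hardcoded(blob, reported):
    """True when every item of the scan report is a literal string in the binary,
    i.e. the 'scan' cannot have come from looking at the disk."""
    return bool(reported) and all(hardcoded_detections(blob, reported).values())


if __name__ == "__main__":
    for name, present in hardcoded_detections(FAKE_BINARY, REPORTED).items():
        print(("hardcoded  " if present else "not found  ") + name)
```

A real rogue will also carry strings that are legitimately embedded (its own install path, registry keys it writes), so the useful signal is a report whose every item is present, run twice on two different clean machines with identical results.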
Thanks to Bharath (on Sunbelt Blog).
BleepingComputer Virus-Removal.

Monday, March 16, 2009

WinPC Defender

WinPC Defender is a fake security application, from the same creators as XP Police Antivirus, IE-Security, WinDefender 2009 and Total Secure 2009.



Let's see what the rogue detects once it is registered (no reboot, no cleaning):



Nothing more. All the infections detected in the first capture have disappeared, although nothing was cleaned!

win-pc-defender.com (206.125.44.28)
xp-police-09.com (206.125.44.28)
xp-police-2009.com (206.125.44.28)
xp-police-antivirus.com (206.125.44.28)
xp-police-av.com (206.125.44.28)
xp-police-engine.com (206.125.44.28)
xp-police.com (206.125.44.28)

XP-Police MAD, XP-Police/IEDef symptoms MAD.
BleepingComputer Removal Guide.

Thursday, March 12, 2009

RegistryFox Rogue

RegistryFox is a fake security application from AntiSpyware LLC, the same company that created the SmitfraudFixTool rogue (a fake version of the original, legitimate application SmitfraudFix), the MalwareRemovalBot rogue, and many other fake products.



The two rogue websites are hosted on the same server:
malwareremovalbot.com (74.53.169.2)
registryfox.com (74.53.169.2)

The application contacts database.registrysmart.com (75.125.200.226) to update its "heavy" database: 7 KB. The IP is shared with other rogue software:
adwarealert.com (75.125.200.226)
evidenceeraser.com (75.125.200.226)
registrysmart.com (75.125.200.226)
restore-pc.com (75.125.200.226)

In the code there is a reference to a file (DataBase.ref) downloaded from 2squared.com (75.125.61.162), an IP it shares with:
antispywarebot.com (75.125.61.162)
errorsweeper.com (75.125.61.162)
privacycontrol.com (75.125.61.162)
regclean.com (75.125.61.162)

There is also a link to the Antispyware 2009 rogue setup, on 75.125.241.58 together with:
antispyware.com (75.125.241.58)
adwarebot.com (75.125.241.58)
antispyware2009.com (75.125.241.58)
errorsmart.com (75.125.241.58)
regsweep.com (75.125.241.58)

Thanks to NoVirusThanks
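
The domain (IP) lists in the posts above (Ultra Antivir 2009, Total Security, WinPC Defender and RegistryFox) are the raw material for the pivot this blog does by hand: a server that hosts one rogue's update domain and another rogue's storefront ties the two together. As an added example, not code from the blog, here is that pivot automated. The input below is constructed from the lines published above; the /prefix grouping goes beyond the posts by also surfacing neighbouring addresses at one provider when no single IP is shared.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed input: the "domain (ip)" lines reported in the posts above,
# pasted together so that overlaps across posts become visible.
OBSERVATIONS = """
trdatasft.com (64.86.17.9)
vmfastscanner.com (64.86.17.9)
tdncgo2009.com (64.86.133.91)
websecscan.com (64.86.133.91)
mysupervisorpop.co.cc (64.86.16.210)
onlinesecurescan.com (64.86.16.210)
vm-onlinescan.net (206.53.61.69)
virusalarm-scanvirus.net (206.53.61.76)
onlinescan-ultraantivirus2009.com (206.53.61.76)
platinumsecurityupdate.com (212.117.165.126)
webscannertools.com (212.117.165.126)
central-scan.com (212.117.165.126)
win-pc-defender.com (206.125.44.28)
xp-police.com (206.125.44.28)
malwareremovalbot.com (74.53.169.2)
registryfox.com (74.53.169.2)
registrysmart.com (75.125.200.226)
adwarealert.com (75.125.200.226)
antispywarebot.com (75.125.61.162)
regclean.com (75.125.61.162)
antispyware2009.com (75.125.241.58)
regsweep.com (75.125.241.58)
"""

# One observation per line: hostname, whitespace, dotted-quad IPv4 in parentheses.
LINE_RE = re.compile(
    r"^\s*(?P<host>[A-Za-z0-9.-]+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s*$"
)


def parse_observations(text):
    """Return (hostname, IPv4Address) pairs; malformed lines and bad IPs are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ip_address(m.group("ip"))  # rejects octets above 255
        except ValueError:
            continue
        pairs.append((m.group("host").lower(), ip))
    return pairs


def pivot_by_ip(pairs):
    """Map each IP to the sorted list of hostnames observed on it."""
    by_ip = defaultdict(set)
    for host, ip in pairs:
        by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def shared_hosts(pairs, minimum=2):
    """IPs carrying at least `minimum` distinct names: the shared-hosting pivot
    the posts above do by hand. Keys are dotted-quad strings."""
    return {
        str(ip): hosts
        for ip, hosts in pivot_by_ip(pairs).items()
        if len(hosts) >= minimum
    }


def cluster_by_prefix(pairs, prefixlen=24):
    """Group distinct IPs by /prefixlen so that neighbouring addresses at one
    provider stand out even when no single IP is shared."""
    nets = defaultdict(set)
    for _, ip in pairs:
        nets[ip_network(f"{ip}/{prefixlen}", strict=False)].add(ip)
    return {
        str(net): [str(i) for i in sorted(ips)]
        for net, ips in nets.items()
        if len(ips) > 1
    }


if __name__ == "__main__":
    obs = parse_observations(OBSERVATIONS)
    for ip, hosts in sorted(shared_hosts(obs).items()):
        print(ip, "->", ", ".join(hosts))
    for net, ips in sorted(cluster_by_prefix(obs, 16).items()):
        print(net, "->", ", ".join(ips))
```

On this input the /24 view only pairs 206.53.61.69 with 206.53.61.76 (the Ultra Antivir 2009 scanners), while the /16 view also groups the three 75.125.x.x addresses from the RegistryFox post and the three 64.86.x.x addresses from the fake online scanners, which is the kind of clustering worth a closer look before blocking a whole range.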

Wednesday, March 4, 2009

WinCoDecPRO Fake Codec

WinCoDecPRO is rogue-like fake software.
Whereas rogues detect fake infections on a clean system and display alert messages, WinCoDecPRO displays a fake codec error that redirects the infected user to the WinCoDecPRO web site.

When the user tries to run Windows Media Player, the malware closes it and displays a message box, picking the text from a hardcoded list:



It also displays popup alerts at regular intervals:
The modified wallpaper: